WHAT IS CLAIMED IS: 

1 . A computer-implemented process for receiving media data across a 
firewall, comprising the process actions of: 
5 receiving an Internet client's encrypted media packet sent using Real-time 

Transport Protocol (RTP) message format at a media-relay server; 

retrieving a sending client's Security Association (SA) using the source 
information included in the RTP message header, 

if no SA exists, dropping the media packet at the media-relay server; 
10 if a SA does exist, making a copy of the encrypted media packet and 

decrypting the media packet; 

obtaining a Synchronization Source Identifier (SSRC) from the SA; 
using the Synchronization Source Identifier included in the decrypted RTP 
packet and comparing it with the Synchronization Source Identifier obtained from 
15 theSA; 

if the Synchronization Source Identifier included in the 
decrypted RTP packet does not match the Synchronization Source Identifier 
obtained from the SA, dropping the media packet; and 

if the Synchronization Source Identifier in the decrypted 
20 RTP packet matches to the Synchronization Source Identifier obtained from the 
SA, forwarding the packet to a network client. 
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2. The computer-implemented process of Claim 1 wherein the source 
information retrieved by the media-relay server comprises a source Internet 
Protocol (IP) address and port number found in the RTP message format. 

3. The computer-implemented process of Claim 1 wherein the media 
packet comprises audio data. 

4. The computer-implemented process of Claim 1 wherein the media 
packet comprises video data. 

5. A computer-implemented process for receiving media data across a 
firewall, comprising the process actions of: 

receiving a sending client's encrypted media packet at a first media-relay 

server; 

said first media-relay server forwarding said media packet to a second 
media-relay server; 

said second media-relay server, retrieving a sending client's Security 
Association (SA) using a Synchronization Source Identifier appended to the 
media packet that is not encrypted; 

if no such SA exists, dropping the media packet; 

if such a SA does exist, making a copy of the media packet; 
decrypting the packet; 
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comparing the Synchronization Source Identifier inside the 
decrypted media packet with the Synchronization Source Identifier appended to 
the media packet, 

if the Synchronization Source Identifier inside the decrypted media 
packet does not match the Synchronization Source Identifier appended to the 
media packet, dropping the media packet; 

if the Synchronization Source Identifier inside the decrypted 
media packet matches the Synchronization Source Identifier appended to the 
media packet, forwarding the packet is forwarded to a corporate client. 

6. The computer-implemented process of Claim 5 wherein the 
sending client sends the media packet via RTP using an RTP header, and 
wherein the first media-relay server modifies the RTP header to include the 
appended Synchronization Source Identifier concatenated with the RTP header 
prior to forwarding the media packet to the second media-relay server. 

7. The computer-implemented process of Claim 6 wherein the 
media packet is transferred by opening only two User Datagram Protocol (UDP) 
ports on an external firewall and multiple UDP ports on an internal firewall. 

8. The computer-implemented process of Claim 5 wherein the 
sending client sends the media packet to the first media-relay server after 
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modifying the RTP header to include an appended Synchronization Source 
Identifier concatenated with the RTP header. 

9. The computer-implemented process of Claim 8 wherein the 
5 first media-relay server sends the modified RTP header with the appended 

Synchronization Source Identifier to the second media relay server. 

10. The computer-implemented process of Claim 9 wherein the 
media packet is transferred by opening two UDP ports on an external firewall and 

10 two UDP ports of an internal firewall. 

1 1 . The computer-implemented process of Claim 5 wherein the 
first media relay server is in a Demilitarized Zone of a network and a third media- 
relay server is in the internal network, and wherein the media packet is sent from 

15 the first media relay server to the third media-relay server before sending the 
media packet to the second media-relay server in a different network from the 
first media-relay server and the third media-relay server. 

12. The computer-implemented process of Claim 1 1 wherein the 
20 first media relay server and the third media relay server communicate using 
Transmission Control Protocol (TCP). 
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13. The computer-implemented process of Claim 12 wherein the 
media packet is transferred by opening two UDP ports on an external firewall and 
one TCP port on an internal firewall. 

14. The computer-implemented process of Claim 5 wherein the 
first media server assigns the Synchronization Source Identifier to the sending 
client. 

15. A data structure for access by an application program being 
executed on a data processing system, comprising: 

an unencrypted Synchronization Source Identifier concatenated 
with an encrypted RTP header containing a Synchronization Source Identifier; 
and 

an encrypted media data packet. 

1 6. A system for formatting data to traverse at least one firewall, 

comprising: 

a first media-relay server assigning a Synchronization Source Identifier to 
a sending client; 

receiving a sending client's encrypted media packet via RTP at the first 
media-relay server; 
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said first media-relay server forwarding said encrypted media packet to a 
second media-relay server with said assigned Synchronization Source Identifier 
appended to the encrypted media packet; 

said second media-relay server, retrieving the sending client's Security 
5 Association (SA) using a Synchronization Source Identifier appended to the 
encrypted media packet; 

if no such SA exists, dropping the media packet; 
if such a SA does exist, making a copy of the media packet; 
decrypting the packet; 
10 comparing the Synchronization Source Identifier inside the 

decrypted media packet with the Synchronization Source Identifier appended to 
the media packet, and 

if the Synchronization Source Identifier inside the decrypted media 
packet does not match the Synchronization Source Identifier appended to the 
15 media packet, dropping the media packet; 

if the Synchronization Source Identifier inside the decrypted media 
packet matches the Synchronization Source Identifier appended to the media 
packet, forwarding the media packet to a network client. 
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